@mtigas
Last active December 16, 2022 02:12
this is the nginx config for https://mike.tig.as/, with config to mitigate the BEAST exploit (by preferring TLS 1.2 AES-GCM ciphersuites; the current cipher list contains no RC4 suite, and since BEAST is a TLS 1.0 CBC weakness, clients stuck on TLS 1.0 still get a CBC suite and depend on their own client-side mitigations) and enable SSL perfect forward secrecy (by preferring ECDHE ciphers)

mike.tig.as server configuration

This gist contains the nginx and tor configurations for the mike.tig.as servers, mainly to show:

  • Use of the chris-lea/nginx-devel PPA to allow use of SPDY.
  • ssl_ciphers selection to mitigate the BEAST attack, enable perfect forward secrecy wherever the client allows it, and select the strongest possible ciphers within those bounds. (The commented-out variant of the list keeps three non-PFS ciphers at the end for compatibility; the active list drops them.)
  • A tor configuration file describing how I serve the mike.tig.as domain under a hidden service (tigas3l7uusztiqu.onion).
#!/bin/sh
# uses a PPA to enable an SPDY-ready version of nginx
# https://launchpad.net/~chris-lea/+archive/nginx-devel
# Note: a PPA is a third-party build. Its signing key gets the same trust from apt
# as Ubuntu's own, and the binary it ships is what terminates your TLS, so pin the
# PPA and follow its updates. (SPDY itself was dropped from nginx in 1.9.5 in favour
# of http2; current builds use "listen 443 ssl http2" instead.)
sudo aptitude remove nginx-light nginx nginx-common nginx-full
sudo apt-get install python-software-properties software-properties-common
sudo add-apt-repository ppa:chris-lea/nginx-devel
sudo aptitude update
sudo apt-get install nginx-light
user www-data;
worker_processes 4;
pid /run/nginx.pid;
events {
worker_connections 2048;
}
http {
sendfile on;
tcp_nopush on;
tcp_nodelay on;
keepalive_timeout 65;
types_hash_max_size 2048;
server_tokens off;
server_names_hash_bucket_size 128;
include /etc/nginx/mime.types;
default_type application/octet-stream;
access_log /var/log/nginx/access.log;
error_log /var/log/nginx/error.log;
gzip on;
gzip_disable "msie6";
gzip_types text/plain text/css application/json application/x-javascript text/xml application/xml application/xml+rss text/javascript;
ssl_session_cache shared:SSL:1m;
ssl_session_timeout 5m;
# Note: session tickets (ssl_session_tickets, on by default) wrap resumed-session
# state under a key nginx generates at startup and keeps for the life of the
# process; anyone who obtains that key can decrypt every resumed session it
# protected, which undercuts the forward secrecy the cipher list below is chosen
# for. Either turn tickets off or rotate ssl_session_ticket_key on a schedule.
# NYPL Time Traveller (see below --- https://mike.tig.as/nypl-hack/ )
# I am hosting it because Foursquare API pingback requires an SSL'd server
upstream nypl_hack_app {
#server 10.177.25.214:61234 fail_timeout=0;
server 127.0.0.1:61234 fail_timeout=0;
}
###############################################################################
# mike.tig.as main
###############################################################################
server {
listen 443 ssl spdy; # spdy was dropped in nginx 1.9.5; on current builds use "listen 443 ssl http2"
server_name mike.tig.as;
add_header "X-If-You-Are-Reading-This" "you are too close";
add_header "X-Colophon" "https://mike.tig.as/colophon/";
add_header "X-Box" "198";
# max-age=86400 is only one day, so the HSTS pin lapses a day after a client's last
# visit; raise it (a year is common) once you are sure the site stays HTTPS-only.
add_header "Strict-Transport-Security" "max-age=86400";
ssl on; # redundant with "listen 443 ssl" above; the directive was deprecated in nginx 1.15.0
ssl_certificate /home/mtigas/mike.tig.as/ssl-201307/server.crt;
ssl_certificate_key /home/mtigas/mike.tig.as/ssl-201307/server.key;
###################
# SSLv2 and SSLv3 are disabled simply by not listing them.
# Keep SSLv3 out even if you care about IE6 (or older) clients: it is broken by
# POODLE (2014). TLS 1.0/1.1 are deprecated too (RFC 8996); keep them only while
# you still see clients that need them.
###################
#ssl_protocols SSLv3 TLSv1 TLSv1.1 TLSv1.2;
ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
###################
# this list is basically a filtered/reordered list of the output of:
# https://hynek.me/articles/hardening-your-web-servers-ssl-ciphers/
# http://unhandledexpression.com/2013/01/25/5-easy-tips-to-accelerate-ssl/
# Modifications include removing ECDSA (every suite here authenticates with RSA,
# matching the certificate in use), disabling almost all non-ephemeral key
# exchange ciphersuites to strongly prefer perfect forward secrecy (and only
# leave alternatives as a fallback), removing fallbacks that wouldn't realistically
# happen in real browsers.
# The commented-out list below is the full 11-ciphersuite version: 4 TLS 1.2
# ciphersuites, 4 fallbacks with PFS, then 3 weaker fallbacks for compatibility
# (static ECDH, plain RSA key transport, and 3DES). The active list is the first
# 8 of those.
# Expanded list:
# https://gist.github.com/mtigas/8591092/raw/gistfile1.txt
#
# If you don't need to support IE WinXP (or older) clients you can remove the
# weak fallbacks after DHE-RSA-AES128-SHA to force PFS ciphersuites for all
# clients: a client that only offers RSA key transport then fails the handshake
# instead of quietly getting a session that anyone holding the server's private
# key can decrypt later. (With ssl_prefer_server_ciphers on, the server's order
# wins whenever both sides share a suite, so the fallbacks are only ever chosen
# by clients that offer nothing better.)
#
# The DHE-RSA suites need Diffie-Hellman parameters. Without ssl_dhparam, builds
# before nginx 1.11.0 use a built-in 1024-bit group and later builds leave the
# DHE suites unavailable altogether; generate your own group (openssl dhparam 2048)
# and point ssl_dhparam at it if you keep DHE in the list.
#
# For performance, AES256 ciphersuites can be removed, too. (Leaves 4 or 7 ciphersuites.)
###################
#ssl_ciphers ECDHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA256:ECDHE-RSA-AES256-SHA:DHE-RSA-AES256-SHA:ECDHE-RSA-AES128-SHA:DHE-RSA-AES128-SHA:ECDH-RSA-AES128-SHA:AES128-SHA:DES-CBC3-SHA;
ssl_ciphers ECDHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA256:ECDHE-RSA-AES256-SHA:DHE-RSA-AES256-SHA:ECDHE-RSA-AES128-SHA:DHE-RSA-AES128-SHA;
ssl_prefer_server_ciphers on;
ssl_stapling on;
# ssl_trusted_certificate is what nginx verifies the OCSP response against, so it
# must hold the issuing chain (intermediate + root), not the leaf; pointing it at
# server.crt only works if that file already contains the full chain. Add
# ssl_stapling_verify on so a bad response is dropped rather than stapled.
# The resolver is queried over plain UDP to find the OCSP responder; a local
# resolver avoids handing those lookups to a third party.
resolver 8.8.8.8 8.8.4.4;
ssl_trusted_certificate /home/mtigas/mike.tig.as/ssl-201307/server.crt;
resolver_timeout 5s;
root /home/mtigas/mike.tig.as/html;
index index.html index.htm;
location /nypl-hack/ {
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header X-Forwarded-Proto $scheme;
proxy_set_header Host $http_host;
proxy_redirect off;
proxy_pass http://nypl_hack_app;
}
# things moved around
rewrite ^/200([5-9])/(.*)$ /blog/200$1/$2 permanent;
rewrite ^/oldblog/(.*)$ /blog/$1 permanent;
rewrite ^/feeds/blog/$ /feeds/blog.rss permanent;
rewrite ^/feed/blog/$ /feeds/blog.rss permanent;
rewrite ^/feed/rss/$ /feeds/blog.rss permanent;
rewrite ^/feed/blog/rss/$ /feeds/blog.rss permanent;
rewrite ^/feed/atom/$ /feeds/blog.rss permanent;
rewrite ^/feed/blog/atom/$ /feeds/blog.rss permanent;
rewrite ^/feeds/rss/$ /feeds/blog.rss permanent;
rewrite ^/feeds/blog/rss/$ /feeds/blog.rss permanent;
rewrite ^/feeds/atom/$ /feeds/blog.rss permanent;
rewrite ^/feeds/blog/atom/$ /feeds/blog.rss permanent;
rewrite ^/feed/$ /feeds/blog.rss permanent;
rewrite ^/web-dev/$ /portfolio/ permanent;
rewrite ^/work/$ /portfolio/ permanent;
rewrite ^/about/colophon/$ /colophon/ permanent;
rewrite ^/projects/$ /portfolio/ permanent;
# old photo galleries with inbound links from blogs/other sites
rewrite ^/blog/photography/xmas2008/$ http://www.photoreflect.com/pr3/thumbpage.aspx?e=4360019 permanent;
rewrite ^/photography/xmas2008/$ http://www.photoreflect.com/pr3/thumbpage.aspx?e=4360019 permanent;
rewrite ^/photo/xmas2008/$ http://www.photoreflect.com/pr3/thumbpage.aspx?e=4360019 permanent;
rewrite ^/blog/photo/xmas2008/$ http://www.photoreflect.com/pr3/thumbpage.aspx?e=4360019 permanent;
rewrite ^/photography/07moyo/$ http://www.flickr.com/photos/madmannova/sets/72157604764220024/ permanent;
rewrite ^/photo/07moyo/$ http://www.flickr.com/photos/madmannova/sets/72157604764220024/ permanent;
# old content pages (temp redir in case I bring these back)
rewrite ^/blog/photography/$ http://www.flickr.com/photos/madmannova/ redirect;
rewrite ^/photography/$ http://www.flickr.com/photos/madmannova/ redirect;
rewrite ^/photo/ http://www.flickr.com/photos/madmannova/ redirect;
rewrite ^/blog/photo/ http://www.flickr.com/photos/madmannova/ redirect;
# renamed/moved blog posts (popular enough -- with incoming links -- to warrant redir)
rewrite ^/blog/2008/03/15/project-chanology/$ /blog/2008/03/15/project-chanology-2/ permanent;
rewrite ^/blog/2006/10/29/world-series-2006-wrap/$ /blog/2006/10/29/and-the-folks-went-crazy/ permanent;
rewrite ^/blog/2008/02/10/project-chanology/$ /blog/2008/02/10/anonymous-protests-church-of-scientology/ permanent;
rewrite ^/2008/03/15/project-chanology/$ /blog/2008/03/15/project-chanology-2/ permanent;
rewrite ^/2008/02/10/project-chanology/$ /blog/2008/02/10/anonymous-protests-church-of-scientology/ permanent;
rewrite ^/2006/10/29/world-series-2006-wrap/$ /blog/2006/10/29/and-the-folks-went-crazy/ permanent;
rewrite ^/blog/2008/07/23/blogmaking-django-newforms-admin/comment-page- /blog/2008/07/23/blogmaking-django-newforms-admin/ permanent;
# popular comment redir URLs that somehow ended up in Google
rewrite ^/comments/cr/13/433/$ /blog/2008/07/23/blogmaking-django-newforms-admin/ permanent;
rewrite ^/comments/cr/13/449/$ /blog/2009/05/11/eulogy-on-a-student-center/ permanent;
rewrite ^/comments/cr/13/463/$ /blog/2009/07/18/high-fidelity/ permanent;
rewrite ^/comments/cr/13/470/$ /blog/2009/09/06/im-kind-of-a-big-deal/ permanent;
# 2002-2004 era hand-edited blog (samuke.net, early miketigas.com)
rewrite ^/blog_old/2002-2003.php$ /blog/2002/ permanent;
rewrite ^/blog_old/2003oct-2003nov.php$ /blog/2003/ permanent;
rewrite ^/blog_old/2003dec.php$ /blog/2003/12/ permanent;
rewrite ^/blog_old/2004jan.php$ /blog/2004/01/ permanent;
rewrite ^/blog_old/2004feb.php$ /blog/2004/02/ permanent;
# shhhh
rewrite ^/sghsfghs$ http://www.youtube.com/watch?v=oHg5SJYRHA0 redirect;
rewrite ^/sghsfghs/$ http://www.youtube.com/watch?v=oHg5SJYRHA0 redirect;
}
###############################################################################
# tor hidden service --- tigas3l7uusztiqu.onion -> mike.tig.as
# served on 127.0.0.1:15517, which tor proxies to. SEE TORRC BELOW.
###############################################################################
server {
listen 127.0.0.1:15517; # loopback only: tor is the only way in, so this vhost is never reachable at the public IP
server_name tigas3l7uusztiqu.onion;
root /home/mtigas/mike.tig.as/html;
index index.html index.htm;
# things moved around
rewrite ^/200([5-9])/(.*)$ /blog/200$1/$2 permanent;
rewrite ^/oldblog/(.*)$ /blog/$1 permanent;
rewrite ^/feeds/blog/$ /feeds/blog.rss permanent;
rewrite ^/feed/blog/$ /feeds/blog.rss permanent;
rewrite ^/feed/rss/$ /feeds/blog.rss permanent;
rewrite ^/feed/blog/rss/$ /feeds/blog.rss permanent;
rewrite ^/feed/atom/$ /feeds/blog.rss permanent;
rewrite ^/feed/blog/atom/$ /feeds/blog.rss permanent;
rewrite ^/feeds/rss/$ /feeds/blog.rss permanent;
rewrite ^/feeds/blog/rss/$ /feeds/blog.rss permanent;
rewrite ^/feeds/atom/$ /feeds/blog.rss permanent;
rewrite ^/feeds/blog/atom/$ /feeds/blog.rss permanent;
rewrite ^/feed/$ /feeds/blog.rss permanent;
rewrite ^/web-dev/$ /portfolio/ permanent;
rewrite ^/work/$ /portfolio/ permanent;
rewrite ^/about/colophon/$ /colophon/ permanent;
rewrite ^/projects/$ /portfolio/ permanent;
# old photo galleries with inbound links from blogs/other sites
rewrite ^/blog/photography/xmas2008/$ http://www.photoreflect.com/pr3/thumbpage.aspx?e=4360019 permanent;
rewrite ^/photography/xmas2008/$ http://www.photoreflect.com/pr3/thumbpage.aspx?e=4360019 permanent;
rewrite ^/photo/xmas2008/$ http://www.photoreflect.com/pr3/thumbpage.aspx?e=4360019 permanent;
rewrite ^/blog/photo/xmas2008/$ http://www.photoreflect.com/pr3/thumbpage.aspx?e=4360019 permanent;
rewrite ^/photography/07moyo/$ http://www.flickr.com/photos/madmannova/sets/72157604764220024/ permanent;
rewrite ^/photo/07moyo/$ http://www.flickr.com/photos/madmannova/sets/72157604764220024/ permanent;
# old content pages (temp redir in case I bring these back)
rewrite ^/blog/photography/$ http://www.flickr.com/photos/madmannova/ redirect;
rewrite ^/photography/$ http://www.flickr.com/photos/madmannova/ redirect;
rewrite ^/photo/ http://www.flickr.com/photos/madmannova/ redirect;
rewrite ^/blog/photo/ http://www.flickr.com/photos/madmannova/ redirect;
# renamed/moved blog posts (popular enough -- with incoming links -- to warrant redir)
rewrite ^/blog/2008/03/15/project-chanology/$ /blog/2008/03/15/project-chanology-2/ permanent;
rewrite ^/blog/2006/10/29/world-series-2006-wrap/$ /blog/2006/10/29/and-the-folks-went-crazy/ permanent;
rewrite ^/blog/2008/02/10/project-chanology/$ /blog/2008/02/10/anonymous-protests-church-of-scientology/ permanent;
rewrite ^/2008/03/15/project-chanology/$ /blog/2008/03/15/project-chanology-2/ permanent;
rewrite ^/2008/02/10/project-chanology/$ /blog/2008/02/10/anonymous-protests-church-of-scientology/ permanent;
rewrite ^/2006/10/29/world-series-2006-wrap/$ /blog/2006/10/29/and-the-folks-went-crazy/ permanent;
rewrite ^/blog/2008/07/23/blogmaking-django-newforms-admin/comment-page- /blog/2008/07/23/blogmaking-django-newforms-admin/ permanent;
# popular comment redir URLs that somehow ended up in Google
rewrite ^/comments/cr/13/433/$ /blog/2008/07/23/blogmaking-django-newforms-admin/ permanent;
rewrite ^/comments/cr/13/449/$ /blog/2009/05/11/eulogy-on-a-student-center/ permanent;
rewrite ^/comments/cr/13/463/$ /blog/2009/07/18/high-fidelity/ permanent;
rewrite ^/comments/cr/13/470/$ /blog/2009/09/06/im-kind-of-a-big-deal/ permanent;
# 2002-2004 era hand-edited blog (samuke.net, early miketigas.com)
rewrite ^/blog_old/2002-2003.php$ /blog/2002/ permanent;
rewrite ^/blog_old/2003oct-2003nov.php$ /blog/2003/ permanent;
rewrite ^/blog_old/2003dec.php$ /blog/2003/12/ permanent;
rewrite ^/blog_old/2004jan.php$ /blog/2004/01/ permanent;
rewrite ^/blog_old/2004feb.php$ /blog/2004/02/ permanent;
# shhhh
rewrite ^/sghsfghs$ http://www.youtube.com/watch?v=oHg5SJYRHA0 redirect;
rewrite ^/sghsfghs/$ http://www.youtube.com/watch?v=oHg5SJYRHA0 redirect;
}
###############################################################################
# server redirects
# (rewrite ^/(.*) https://host/$1 permanent does the job; the idiomatic form since
# nginx 0.8.42 is "return 301 https://mike.tig.as$request_uri;", which skips the
# regex and passes the original URI and query string through untouched)
###############################################################################
server {
listen 80;
server_name mike.tig.as;
rewrite ^/(.*) https://mike.tig.as/$1 permanent;
# Browsers must ignore Strict-Transport-Security received over plain HTTP
# (RFC 6797), so this header does nothing here; the one in the HTTPS block counts.
add_header Strict-Transport-Security max-age=86400;
}
server {
listen 80;
server_name v3.mike.tig.as lolme.me www.lolme.me old.miketigas.com www.miketigas.com howedgy.info www.howedgy.info minutiae.lolwut.me miketigas.com www.mike.tig.as 2.mike.tig.as;
rewrite ^/(.*) https://mike.tig.as/$1 permanent;
}
server {
listen 80;
server_name 198.61.228.27 10.177.25.214 127.0.0.1 web1.tig.as tig.as yu8.in;
rewrite ^/(.*) https://mike.tig.as/$1 redirect;
}
server {
listen 80;
server_name onionbrowser.com www.onionbrowser.com;
rewrite ^/(.*) https://mike.tig.as/onionbrowser/$1 permanent;
}
server {
listen 80;
server_name media.miketigas.com media.mike.tig.as;
rewrite ^/(.*) https://d2p12wh0p3fo1n.cloudfront.net/$1 permanent;
}
server {
listen 80;
server_name media2.miketigas.com media3.miketigas.com;
rewrite ^/(.*) https://mtigas1.appspot.com/$1 permanent;
}
server {
listen 80;
server_name stl.nationbrowse.com;
rewrite ^/(.*) https://mike.tig.as/ redirect;
}
server {
listen 80;
server_name nationbrowse.com www.nationbrowse.com;
rewrite ^/(.*) https://mike.tig.as/blog/2010/02/22/nationbrowse/ permanent;
}
server {
listen 80;
server_name xn--zg-lqa98cwa62pqejj5alnoo4dqrda9cvaw3a474aadda.yu8.in xn--zg-lqa98cwa62pqejj5alnoo4dqrea8cvaw3a174aagda.yu8.in xn--zg-lqa98cwa62pqejj5alnoo4dqrea8cvaw3a61ni0cgada59b.yu8.in xn--zg-lqa98cwa76qhazjlmm6copca4ctuz38lbycgada16b.yu8.in;
rewrite ^/(.*) https://mike.tig.as/$1 redirect;
}
server {
listen 80;
server_name xn--j-0cab.yu8.in;
rewrite ^/(.*) http://shiticareabout.tumblr.com/$1 permanent;
}
server {
listen 80;
server_name gheat_demo.nationbrowse.com gheat.miketigas.com;
rewrite ^/(.*) https://github.com/mtigas/django-gheat redirect;
}
server {
listen 80;
server_name shouldilivetweetthescanner.info;
rewrite ^/(.*) http://www.shouldilivetweetthescanner.info/ permanent;
}
}
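The ssl_ciphers comment block in the 443 server above reasons in tiers (TLS 1.2 suites, PFS fallbacks, non-PFS fallbacks) and about what a legacy client ends up with. The script below is an added example, not code from the gist: it classifies both cipher lists from the config by their OpenSSL suite names and models the TLS 1.2-era cipher choice with ssl_prefer_server_ciphers on versus off. MODERN_CLIENT and LEGACY_CLIENT are constructed ClientHello offers for illustration, not captures from real browsers.

```python
"""Classify the two ssl_ciphers lists from the nginx.conf above and model cipher choice.

Added example, not code from the gist. Suites are classified from their OpenSSL
names alone (KX-AUTH-ENC-MAC), so no openssl binary is needed. Only the suite
families the config uses (plus RC4, which the gist description mentions) are modelled.
"""
from dataclasses import dataclass

# Copied verbatim from the config: the commented-out 11-suite list with the
# compatibility fallbacks, and the active list without them.
COMPAT_LIST = ("ECDHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES128-GCM-SHA256:"
               "ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA256:"
               "ECDHE-RSA-AES256-SHA:DHE-RSA-AES256-SHA:"
               "ECDHE-RSA-AES128-SHA:DHE-RSA-AES128-SHA:"
               "ECDH-RSA-AES128-SHA:AES128-SHA:DES-CBC3-SHA")
PFS_ONLY_LIST = ("ECDHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES128-GCM-SHA256:"
                 "ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA256:"
                 "ECDHE-RSA-AES256-SHA:DHE-RSA-AES256-SHA:"
                 "ECDHE-RSA-AES128-SHA:DHE-RSA-AES128-SHA")


@dataclass(frozen=True)
class Suite:
    name: str
    kx: str              # ECDHE, DHE, ECDH (static) or RSA key transport
    auth: str            # RSA, ECDSA or DSS
    forward_secret: bool
    tls12_only: bool     # AEAD (GCM) and SHA-2 HMAC suites exist only in TLS 1.2
    problems: tuple      # why a hardened list would drop the suite


def classify(name: str) -> Suite:
    """Derive key exchange / auth / cipher properties from an OpenSSL suite name."""
    parts = name.split("-")
    if parts[0] in ("ECDHE", "DHE", "EDH", "ECDH"):
        kx = "DHE" if parts[0] == "EDH" else parts[0]
        auth = parts[1]
    else:                       # e.g. AES128-SHA, DES-CBC3-SHA, RC4-SHA: RSA key transport
        kx, auth = "RSA", "RSA"
    forward_secret = kx in ("ECDHE", "DHE")
    tls12_only = "GCM" in parts or parts[-1] in ("SHA256", "SHA384")
    problems = []
    if not forward_secret:
        problems.append("no forward secrecy")
    if "CBC3" in parts:
        problems.append("3DES (64-bit block)")
    if "RC4" in parts:
        problems.append("RC4")
    return Suite(name, kx, auth, forward_secret, tls12_only, tuple(problems))


def audit(cipher_list: str) -> dict:
    """Count suites per tier and check that every PFS suite precedes every non-PFS one."""
    suites = [classify(n) for n in cipher_list.split(":") if n]
    non_pfs_seen, ordered = False, True
    for s in suites:
        if not s.forward_secret:
            non_pfs_seen = True
        elif non_pfs_seen:
            ordered = False      # a PFS suite sits below a non-PFS one
    return {
        "total": len(suites),
        "tls12_pfs": sum(s.forward_secret and s.tls12_only for s in suites),
        "legacy_pfs": sum(s.forward_secret and not s.tls12_only for s in suites),
        "non_pfs": sum(not s.forward_secret for s in suites),
        "pfs_first": ordered,
        "flagged": {s.name: s.problems for s in suites if s.problems},
        "auth_algorithms": sorted({s.auth for s in suites}),
    }


def negotiate(server_list: str, client_offer: list, prefer_server: bool = True):
    """Return the suite a pre-TLS 1.3 handshake would pick, or None for a failure.

    prefer_server=True models ssl_prefer_server_ciphers on: the first suite in the
    server's order that the client also offers wins. Otherwise the client's order wins.
    """
    server = server_list.split(":")
    if prefer_server:
        return next((s for s in server if s in client_offer), None)
    return next((c for c in client_offer if c in server), None)


# Constructed offers (not captures from any real client). The first resembles a
# browser that knows the AEAD suites plus a CBC fallback; the second resembles an
# old RSA-key-transport-only stack such as the "IE on WinXP" case in the comment.
MODERN_CLIENT = ["ECDHE-RSA-AES128-GCM-SHA256", "ECDHE-RSA-AES256-GCM-SHA384",
                 "AES128-SHA"]
LEGACY_CLIENT = ["AES128-SHA", "DES-CBC3-SHA", "RC4-SHA"]

if __name__ == "__main__":
    for label, lst in (("compat", COMPAT_LIST), ("pfs-only", PFS_ONLY_LIST)):
        print(label, audit(lst))
        print("  modern client ->", negotiate(lst, MODERN_CLIENT))
        print("  legacy client ->", negotiate(lst, LEGACY_CLIENT))
    print("client order wins ->", negotiate(PFS_ONLY_LIST, MODERN_CLIENT, prefer_server=False))
```

The two negotiate() results for the legacy client show what removing the fallbacks actually buys: the compat list hands it AES128-SHA (RSA key transport, no forward secrecy), the PFS-only list refuses the handshake. The pfs_first check matters because ssl_prefer_server_ciphers on makes the server's order authoritative, so a non-PFS suite placed above a PFS one would be chosen even for clients that support better.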
# A Tor config that just boots up, runs as a client (not a relay), and
# allows access to our .onion website.
# Ubuntu's torrc has this (since it installs Tor as a system service)
RunAsDaemon 1
# Some smart options to have.
AvoidDiskWrites 1
HardwareAccel 1
ClientOnly 1
ExitPolicy reject *:*
# With these three config lines, we serve our website (see nginx.conf) on a .onion
# domain. The name is generated randomly (an RSA key is generated & the domain is
# the base32 encoding of the first 80 bits of the SHA-1 hash of the public key,
# hence 16 characters), but you can brute force for partial strings by using
# https://github.com/freaken/shallot (this fork has important fix for math bug).
# This is how I get my .onion domain to start with "tigas".
# -> tigas3l7uusztiqu.onion
# (That is a v2 address. Tor dropped v2 onion services in 2021; current Tor
# derives 56-character v3 addresses from an ed25519 key, and shallot only
# works on v2 RSA keys.)
HiddenServiceDir /home/mtigas/tigas_hidserv
HiddenServicePort 80 127.0.0.1:15517
# Port 443 hands the onion client the mike.tig.as certificate, which does not
# name the .onion host, so Tor Browser shows a certificate mismatch there; the
# plain-HTTP port 80 mapping is the one that works cleanly.
HiddenServicePort 443 127.0.0.1:443
##### Regarding censorship #####
# You can host a hidden service even if you are behind a firewall
# and can't open ports. It won't operate as a publicly-accessible
# website, but you can tell nginx (or any other server) to listen
# on 127.0.0.1 (whatever port you desire). Tor's hidden service
# architecture effectively punches a hole through firewalls and
# censors.
# If you're in an extremely hostile situation where the content
# you are publishing may be censored (or may get you into trouble),
# you are probably also in a situation where Tor is blocked. You
# can host a hidden service even in this situation, if you enable
# bridges. You can circumvent deep packet inspection censorship
# techniques by connecting to Tor via an obfsproxy bridge.
#
# See https://bridges.torproject.org/ for details on bridge relays.
# See https://www.torproject.org/projects/obfsproxy.html.en for details on obfsproxy.
#UseBridges 1
#ClientTransportPlugin obfs2,obfs3 exec /usr/local/bin/pyobfsproxy managed
# (obfs2 and obfs3 have since been retired; the current pluggable transport is
# obfs4, run via obfs4proxy: ClientTransportPlugin obfs4 exec /usr/bin/obfs4proxy)
#Bridge 54.218.98.220:443
#Bridge obfs2 128.31.0.34:1051
#Bridge obfs3 37.247.49.206:35254
# You shouldn't use these "Bridge" lines, though.
# Get bridge lines from https://bridges.torproject.org/bridges (since they'll be up
# to date and less likely to be blocked from a blacklist).
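The HiddenServiceDir comment above says the address is derived from a hash of the RSA key and that shallot brute-forces a prefix. The script below is an added example, not code from the gist or from shallot: it carries out the v2 derivation (PKCS#1 DER of the public key, SHA-1, first 80 bits, lowercase base32) and runs a prefix search the way shallot does, holding the modulus fixed and stepping the public exponent. FAKE_MODULUS is a constructed odd integer standing in for a key, so nothing here produces a usable Tor key; v2 addresses are also retired, so read it as documentation of the old scheme.

```python
"""Derive a v2 .onion address from an RSA public key, and show the vanity search.

Added example, not from the gist or from shallot. Implements the v2 rule: the
address is the first 80 bits of SHA-1 over the DER-encoded PKCS#1 RSAPublicKey,
base32-encoded and lowercased (16 characters). FAKE_MODULUS is a constructed odd
integer, not a real RSA modulus, so this runs offline without any crypto library;
the encoding and hashing steps are the same for a real key. Does not apply to v3
addresses, which are derived from an ed25519 key and are 56 characters long.
"""
import base64
import hashlib

B32_ALPHABET = "abcdefghijklmnopqrstuvwxyz234567"


def der_length(n: int) -> bytes:
    """DER length octets: short form below 0x80, long form otherwise."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def der_integer(value: int) -> bytes:
    """DER INTEGER for a non-negative value (leading 0x00 keeps the sign bit clear)."""
    body = value.to_bytes((value.bit_length() + 7) // 8 or 1, "big")
    if body[0] & 0x80:
        body = b"\x00" + body
    return b"\x02" + der_length(len(body)) + body


def rsa_public_key_der(n: int, e: int) -> bytes:
    """PKCS#1 RSAPublicKey ::= SEQUENCE { modulus INTEGER, publicExponent INTEGER }"""
    body = der_integer(n) + der_integer(e)
    return b"\x30" + der_length(len(body)) + body


def onion_v2_address(n: int, e: int) -> str:
    """First 80 bits of SHA-1(DER public key), base32, lowercase: 16 characters."""
    digest = hashlib.sha1(rsa_public_key_der(n, e)).digest()
    return base64.b32encode(digest[:10]).decode("ascii").lower()


def vanity_search(n: int, prefix: str, start_e: int = 65537, limit: int = 100000):
    """Shallot-style search: keep the modulus, walk odd public exponents until the
    address starts with prefix. Returns (e, address) or None if limit is exhausted.

    A real tool must also check gcd(e, phi(n)) == 1 and recompute the private
    exponent d for the e it settles on; that needs the factors of n, which this
    constructed modulus does not have, so the toy stops at the address match.
    """
    e = start_e | 1
    for _ in range(limit):
        addr = onion_v2_address(n, e)
        if addr.startswith(prefix):
            return e, addr
        e += 2
    return None


# Constructed 1024-bit odd integer standing in for a modulus (NOT a real key).
FAKE_MODULUS = (int.from_bytes(hashlib.sha256(b"constructed, not a real key").digest() * 4, "big")
                | (1 << 1023) | 1)

if __name__ == "__main__":
    print("e=65537 ->", onion_v2_address(FAKE_MODULUS, 65537) + ".onion")
    hit = vanity_search(FAKE_MODULUS, "ti")
    if hit:
        print("prefix 'ti' found at e=%d -> %s.onion" % hit)
```

Each extra prefix character multiplies the expected number of tries by 32, which is why vanity tools search over e (a hash per candidate) rather than generating a fresh key per candidate.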
@brb5555555

Would you set up a hidden service for me on a VPS for a reasonable fee?

@wellington1993

Thanks! Very Cool!

@kant

kant commented Apr 21, 2017

First, kudos for sharing this kind of data.
On torrc on #28, there is a typo: effecrtively
